
CVE-2025-47823: CWE-259 Use of Hard-coded Password in Flock Safety License Plate Reader

Severity: Low
Tags: Vulnerability, CVE-2025-47823, CWE-259
Published: Fri Jun 27 2025 (06/27/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Flock Safety
Product: License Plate Reader

Description

Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have a hardcoded password for a system.

AI-Powered Analysis

AI analysis last updated: 06/27/2025, 03:20:30 UTC

Technical Analysis

CVE-2025-47823 identifies a weakness in Flock Safety License Plate Reader (LPR) devices running firmware through version 2.2. It is classified as CWE-259, use of a hard-coded password: a password for a system component is embedded in the firmware image, so it is identical on every unit running that firmware and cannot be changed, rotated, or revoked by the operator. Once such a password is recovered from one device, or otherwise disclosed, it works against every device in the affected firmware range, which is what makes a hard-coded credential a persistent exposure rather than a one-off one. The CVSS v3.1 base score is 2.2 (Low). The vector CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N records that the attack requires physical access to the device (AV:P) and has high attack complexity (AC:H), but needs no privileges (PR:N) and no user interaction (UI:N); scope is changed (S:C), meaning a successful attack reaches resources beyond the vulnerable component; the scored impact is a low loss of confidentiality (C:L) with no integrity or availability impact (I:N/A:N). The score rests on the physical-access assumption. The advisory does not say which component the password protects or whether that component is reachable over the network; if it is, the effective exposure of a device whose password has been published is higher than the Low rating suggests. No exploits are known in the wild and, at the time of this analysis, no patch had been published. An attacker with physical access could recover the password from the device or its firmware storage and use it to gain unauthorized access to the LPR device, undermining the confidentiality and privacy guarantees of the system.
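The difference between the weakness described above and a design that avoids it, as an added example in Python (not Flock Safety code; the credential file layout, the constant and the password values are constructed for the illustration). The vulnerable path compares against a build-time constant; the hardened path mints a per-device password at first boot, stores only a salted hash outside the image, and lets the operator rotate it, so a leaked value can be revoked without reflashing.

```python
"""CWE-259 pattern beside a per-device, rotatable replacement.

Added illustration in Python, not Flock Safety code. The credential file
layout, the constant and the passwords below are constructed for the
example and are not values from any real device."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# --- Vulnerable pattern (CWE-259) -----------------------------------------
# The secret is a build-time constant: identical on every unit shipped with
# this firmware, readable by anyone who can dump the image, and impossible
# to change or revoke without a new firmware release.
BUILD_TIME_PASSWORD = "example-constant"   # constructed placeholder


def vulnerable_login(password: str) -> bool:
    # Plain string compare also short-circuits on the first mismatching
    # character, so it leaks timing information about the prefix.
    return password == BUILD_TIME_PASSWORD


# --- Hardened pattern ------------------------------------------------------
class DeviceCredentialStore:
    """Per-device credential kept as a salted PBKDF2 hash in mutable
    storage outside the firmware image, so it can be minted at first boot,
    rotated by the operator and revoked without reflashing."""

    ITERATIONS = 200_000   # floor for the example; tune to the device CPU

    def __init__(self, path: str):
        self.path = path

    @staticmethod
    def _digest(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations)

    def provision(self) -> str:
        """First boot: mint a random password unique to this unit and persist
        only its hash. The plaintext is returned once for the installer."""
        password = secrets.token_urlsafe(18)
        self.rotate(password)
        return password

    def rotate(self, new_password: str) -> None:
        """Replace the credential; the previous value stops working at once."""
        salt = secrets.token_bytes(16)
        record = {"salt": salt.hex(),
                  "iterations": self.ITERATIONS,
                  "hash": self._digest(new_password, salt,
                                       self.ITERATIONS).hex()}
        with open(self.path, "w") as fh:
            json.dump(record, fh)
        os.chmod(self.path, 0o600)

    def verify(self, password: str) -> bool:
        """Constant-time comparison against the stored hash. An unprovisioned
        device denies everything rather than falling back to a default."""
        if not os.path.exists(self.path):
            return False
        with open(self.path) as fh:
            rec = json.load(fh)
        expected = bytes.fromhex(rec["hash"])
        actual = self._digest(password, bytes.fromhex(rec["salt"]),
                              rec["iterations"])
        return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Run both patterns through their lifecycle and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        store = DeviceCredentialStore(os.path.join(tmp, "device-cred.json"))
        denied_unprovisioned = not store.verify("anything")
        first = store.provision()
        first_accepted = store.verify(first)
        store.rotate("operator-chosen-replacement")   # constructed value
        old_revoked = not store.verify(first)
        new_accepted = store.verify("operator-chosen-replacement")
    return {
        "constant_works_on_every_unit": vulnerable_login(BUILD_TIME_PASSWORD),
        "unprovisioned_denied": denied_unprovisioned,
        "provisioned_accepted": first_accepted,
        "rotation_revokes_old": old_revoked,
        "rotated_accepted": new_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened store is not the hash function but where the secret lives: the firmware image holds no credential at all, every unit gets its own value, and `rotate` gives the operator a way to revoke a leaked one. A device that has not been provisioned denies every login instead of accepting a default.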

Potential Impact

For European organizations deploying Flock Safety LPR devices, the risk is concentrated where unauthorized individuals can obtain physical access to the units. Unauthorized access to the LPR system could expose license plate data and the movement patterns derivable from it, undermining privacy protections and potentially constituting a personal data breach under the GDPR. The vulnerability is rated Low because of the physical-access requirement and high attack complexity, but LPR devices are used in law enforcement, private security, and urban monitoring, so exploitation could erode trust in these systems and disrupt surveillance operations. The CVSS vector scores confidentiality impact only; whether a compromised device could additionally be manipulated to report false data or be taken offline depends on what the hard-coded password protects, which the advisory does not specify. Organizations should weigh both data-protection compliance and the reputational damage that would follow a breach involving surveillance data.

Mitigation Recommendations

No official patch is available, so compensating controls are the only option until the vendor ships firmware without the embedded credential; they reduce exposure but do not remove the weakness. Restrict physical access to the devices: mount them in secure, tamper-evident enclosures and cover them with separate surveillance. Inspect the units regularly for signs of tampering or added hardware. Segment the network so that a compromised device cannot reach anything beyond the systems it must talk to, and block inbound access to any device management interface from untrusted networks. Monitor device logs and network traffic for unexpected logins, configuration changes, or connections to unfamiliar hosts. Ask Flock Safety for a firmware release that replaces the hard-coded password with a per-device, operator-changeable credential, and for confirmation of which component the password protects. Where the product supports it, front the device with an additional authentication layer or central access management so that the device-level password is not the only barrier.
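A check that goes with the recommendations above, for any firmware image an organization is entitled to inspect (its own products or images a vendor supplies for review), as an added example in Python rather than a Flock Safety tool: extract printable strings the way `strings` does and flag the three indicators that most often mean a hard-coded credential. The image bytes are constructed for the example, the shadow hash is a placeholder, and the indicator list is a starting point for triage, not a complete detector.

```python
"""Triage scan of a firmware image for hard-coded credential indicators.

Added example, not a Flock Safety tool. The same idea as running `strings`
over an unpacked image and grepping the result; the image bytes and every
value in them are constructed for the example, and the shadow hash is a
placeholder, not a real credential."""
import re
from typing import List, Tuple

# Runs of at least six printable ASCII bytes, as `strings` would report them.
# Newlines are not in the range, so each line of an embedded text file comes
# out as its own string.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# (reason, pattern) pairs applied to each extracted string.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # /etc/shadow line whose hash field holds a real crypt(3) hash.
    # Entries with '!', '*' or an empty field are locked, not hard-coded.
    ("shadow-entry-with-hash",
     re.compile(rb"^[a-z_][a-z0-9_-]*:\$(1|5|6|2[aby]|y)\$[^:]+:")),
    # Literal assignment to a password-like name in a script or config file.
    ("password-literal-assignment",
     re.compile(rb"(?i)(pass(word|wd)?|pwd|secret)[a-z_]*\s*[=:]\s*['\"]?[^\s'\"]{4,}")),
    # Credentials embedded in a URL (user:pass@host).
    ("credential-in-url",
     re.compile(rb"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]


def extract_strings(blob: bytes) -> List[bytes]:
    return _PRINTABLE.findall(blob)


def scan_firmware(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (reason, byte offset, string) for each suspicious string.
    Findings are for triage: confirm each by hand before calling it CWE-259."""
    findings: List[Tuple[str, int, str]] = []
    for match in _PRINTABLE.finditer(blob):
        text = match.group(0)
        for reason, pattern in INDICATORS:
            if pattern.search(text):
                findings.append((reason, match.start(), text.decode("ascii")))
                break   # one reason per string is enough for triage
    return findings


# Constructed stand-in for an unpacked image: binary padding around fragments
# of /etc/passwd, /etc/shadow and an init script. Nothing here is real.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + bytes(range(32))
    + b"root:x:0:0:root:/root:/bin/sh\n"                 # passwd: no secret
    + b"root:$6$examplesalt$EXAMPLEHASHNOTREAL:19000:0:99999:7:::\n"
    + b"service:!:19000::::::\n"                          # locked, benign
    + b"\x00\x00# maintenance shell setup\n"
    + b"SERVICE_PASSWORD=example-not-real\n"
    + b"UPLOAD_URL=ftp://uploader:example-not-real@198.51.100.7/incoming\n"
    + b"Enter password: \x00" + bytes([0xFF] * 40)
)


if __name__ == "__main__":
    for reason, offset, text in scan_firmware(SAMPLE_IMAGE):
        print(f"{offset:#08x}  {reason:28s}  {text}")
```

On the constructed image the scan reports the shadow entry with a real hash field, the literal password assignment and the URL carrying credentials, and stays quiet on the passwd line, the locked account and the login prompt. On a real image, run it over the unpacked filesystem rather than a compressed container, and expect to tune the second pattern, which will also catch benign lines such as `passwd: files` in nsswitch.conf.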


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-05-10T00:00:00.000Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 685e0a57ca1063fb874ed126

Added to database: 6/27/2025, 3:04:55 AM

Last enriched: 6/27/2025, 3:20:30 AM

Last updated: 8/15/2025, 5:37:30 PM

